AWS Notes

IAM (Identity and Access Management)
IAM (Identity and Access Management) is the AWS service that controls who can access what within your AWS account.
It’s like the security brain of AWS — defining identities (people or services) and assigning them permissions (what they can or can’t do).
The Four Core IAM Concepts
1. User
A user represents a person or program that interacts with AWS.
Each user has login credentials (for the console) or access keys (for CLI/SDK).
2. Group
A group is a collection of users sharing the same permissions.
Groups simplify permission management — assign a policy once, and all users in that group inherit it.
Note: Groups cannot contain other groups.
3. Role
A role is an identity that AWS services (like EC2, Lambda) can assume to perform actions.
Roles do not have long-term credentials; instead, whatever assumes the role receives temporary credentials that expire.
4. Policy
A policy is a JSON document defining what actions are allowed or denied.
Policies are attached to users, groups, or roles to grant permissions.
IAM Policy
An IAM Policy defines the allowed or denied actions within AWS.
It uses a JSON structure with one or more statements, each specifying:
- Effect: Allow or Deny
- Action: What AWS operations can be performed
- Resource: The AWS resources the action applies to
Example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
The Principle of Least Privilege
Always grant the minimum permissions necessary — nothing more.
By following this principle, you minimize security risks:
- Prevent unintended access
- Reduce damage if credentials are compromised
- Enforce clearer, safer security boundaries
IAM Roles — Permissions for AWS Services
AWS services like EC2, Lambda, or ECS often need to perform actions on your behalf (e.g., uploading files to S3).
Instead of embedding credentials in your code (which is insecure), you use IAM Roles.
Example Scenario
You launch an EC2 instance that uploads logs to S3.
❌ Bad practice: Embed your access keys in code.
✅ Good practice: Attach a role to the EC2 instance with an S3 write policy.
The EC2 instance automatically receives temporary credentials from AWS STS (Security Token Service) and can securely upload logs to S3.
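As an added example (not part of the original notes), the EC2 log-upload scenario written as a least-privilege policy next to an over-broad one, plus a small evaluator that applies IAM's "explicit Deny wins, otherwise Allow, otherwise implicit deny" rule so you can check what each policy actually permits. The bucket name and log prefix are assumed placeholders, and the evaluator only handles Effect/Action/Resource with wildcards, not Condition blocks or resource/SCP policies.

```python
import fnmatch
import json

# Over-broad policy: every S3 action on every bucket. Easy to write, but a
# leaked instance credential would then be able to read or delete anything.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")

# Least-privilege policy for the scenario: only write objects under one
# prefix of one bucket. Bucket name and prefix are assumed placeholders.
LOG_WRITER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-log-bucket/ec2-logs/*"}
  ]
}""")


def _matches(pattern, value):
    """IAM-style wildcard match where only '*' and '?' are special.
    fnmatch also treats '[' specially, so it is escaped first."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_allowed(policy, action, resource):
    """Simplified evaluation of an identity-based policy: any matching
    explicit Deny wins, any matching Allow grants, otherwise denied.
    Action names are compared case-insensitively, ARNs case-sensitively."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        resources = stmt["Resource"]
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        action_hit = any(_matches(a.lower(), action.lower()) for a in actions)
        resource_hit = any(_matches(r, resource) for r in resources)
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision
```

The same evaluator shows why the broad policy is dangerous: it returns True for s3:DeleteBucket on any bucket, while the log-writer policy returns False for anything other than PutObject under the log prefix.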
How Users Access AWS
IAM users can interact with AWS in three main ways:
1. AWS Management Console
- Accessed via username + password
- Can enable MFA (Multi-Factor Authentication) such as DUO for extra security.
2. AWS CLI (Command Line Interface)
- Authenticate using Access Keys
- Useful for scripting and automation.
3. AWS SDK
- Programmatic access for applications
- Uses Access Keys to call AWS APIs via SDKs (Python, JavaScript, Java, etc.)